Name
Serialized Data External Linking

Summary
An attacker creates a serialized data file (e.g. XML or YAML) that contains an external entity reference. Because serialized data parsers may not validate documents with external references, there may be no checks on what the external entity actually points to. This can allow an attacker to open arbitrary files or connections.

Prerequisites
The target must follow external entity references without validating the reference target.

Solutions
Configure the serialized data processor to only retrieve external entities from trusted sources.
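The following is an added example, not code from the CAPEC entry, showing the mitigation above applied to an XML parser. It uses Python's standard `xml.parsers.expat` module, which never fetches an external entity on its own: it only hands the entity's system identifier to the `ExternalEntityRefHandler` callback, so that callback is where the trust decision is made. The example goes one step beyond "trusted sources" by resolving trusted entities from a small in-memory catalogue instead of fetching them at all; the catalogue, the two XML documents and the `example.invalid`/`/tmp` identifiers in them are constructed for this illustration.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Constructed catalogue of the only external entities this parser may expand.
# Keys are system identifiers exactly as they appear in a DOCTYPE; values are
# the entity content, held locally so no file or network access ever happens.
TRUSTED_ENTITIES = {
    "https://schemas.example.invalid/footer.ent": "Standard footer text",
}

# Constructed document that references an entity from the trusted catalogue.
SAFE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [\n'
    '  <!ENTITY footer SYSTEM "https://schemas.example.invalid/footer.ent">\n'
    ']>\n'
    '<note>Hello. &footer;</note>\n'
)

# Constructed document of the kind the pattern describes: the entity points at
# a local file the parser has no business reading.
HOSTILE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [\n'
    '  <!ENTITY leak SYSTEM "file:///tmp/constructed-not-trusted.txt">\n'
    ']>\n'
    '<note>&leak;</note>\n'
)


def parse_with_entity_policy(xml_text, trusted=TRUSTED_ENTITIES):
    """Parse XML, expanding external entities only from the trusted catalogue.

    Returns a dict with:
      ok      - True if the document parsed completely
      text    - all character data collected, including expanded entities
      refused - system identifiers of external entities the policy rejected
    """
    parser = xml.parsers.expat.ParserCreate()
    text = []
    refused = []

    def on_chars(data):
        text.append(data)

    def on_external_entity(context, base, system_id, public_id):
        # Expat calls this instead of opening the entity itself. Returning 1
        # means "handled"; returning 0 makes expat abort the whole parse,
        # which is the safe failure mode for an untrusted reference.
        if system_id in trusted:
            # A child parser inherits our handlers, so the entity's character
            # data lands in the same `text` list as the main document.
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(trusted[system_id], True)
            return 1
        refused.append(system_id)
        return 0

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_entity

    try:
        parser.Parse(xml_text, True)
    except ExpatError:
        # Raised with XML_ERROR_EXTERNAL_ENTITY_HANDLING when the handler
        # returned 0; the refused list records which reference was blocked.
        return {"ok": False, "text": "".join(text), "refused": refused}
    return {"ok": True, "text": "".join(text), "refused": refused}


if __name__ == "__main__":
    print("trusted :", parse_with_entity_policy(SAFE_DOC))
    print("hostile :", parse_with_entity_policy(HOSTILE_DOC))
```

The `refused` list is worth logging in production: a serialized document that declares an external entity pointing at a `file:` URL or an internal host is a strong detection signal for this pattern, and the parse failing closed means the content is never reached by the application.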